Next Generation Firewalls (NGFW)

2/14/2018

Overview

Deciding whether you need a Next Generation Firewall (NGFW) or a Unified Threat Management (UTM) appliance to protect your enterprise can be daunting, to say the least. There is still some confusion in the market about the differences between the two, and even the terminology is questionable: next generation firewalls do significantly more than firewalling, and enough vendors offer the same “next generation” features that the term itself has lost much of its meaning.

UTMs were the first on the scene more than 10 years ago, as small and medium-sized businesses (SMBs) sought to consolidate multiple appliances into a single, more manageable device combining firewall, IDS/IPS, anti-virus, anti-spam, virtual private network (VPN) and load balancing. Content filtering was added along the way and, more recently, sandboxing to block evasive threats such as ransomware disguised as executables. Today many of those UTM features are migrating to cloud-based services, but the bare-metal UTM appliance market nevertheless remains strong, and entry-level UTM offerings often start with cost-competitive, easy-to-deploy firewall functionality, adding optional features as needed.

NGFWs, on the other hand, retain the functions of a traditional firewall, including network address translation (NAT), port and protocol filtering, stateful inspection and VPN, but add improved traffic filtering based on deeper inspection of packet content, up to the application layer of the OSI stack. The Deep Packet Inspection (DPI) techniques used in NGFWs improve control over, and visibility of, users and devices. This added network intelligence brings content and application awareness and enables better malware detection. Most NGFWs also offer data loss prevention (DLP) by inspecting outbound traffic to detect sensitive data leaving the organization. In addition, NGFWs perform access control and block malicious traffic in the same way as the Intrusion Prevention System (IPS) in a UTM.
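The difference between port/protocol filtering and application-layer inspection is easiest to see side by side. The following is an added illustration, not code from Advantech or from any NGFW product: a toy policy engine that applies a traditional port rule first, then identifies the application from the payload, and finally runs a simple DLP check on outbound plaintext. The signature set, the DLP patterns and the sample flows are all constructed and deliberately minimal; a real NGFW carries thousands of application signatures and needs TLS interception to inspect encrypted content, which this example does not attempt.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One simplified connection: only the fields the policies below need."""
    dst_port: int
    outbound: bool
    payload: bytes  # first bytes of application data (constructed samples below)


# --- Layer-4 policy: what a traditional port/protocol firewall sees ----------
ALLOWED_OUTBOUND_PORTS = {80, 443}


def port_policy(flow: Flow) -> str:
    """Port rule only: allow outbound web ports, deny everything else."""
    return "allow" if flow.outbound and flow.dst_port in ALLOWED_OUTBOUND_PORTS else "deny"


# --- Layer-7 identification: a tiny, assumed DPI signature set ---------------
APP_SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-2\.0-")),                                   # SSH banner
    ("http", re.compile(rb"^(?:GET|POST|PUT|HEAD|DELETE) \S+ HTTP/1\.[01]\r\n")),
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),                          # TLS record header
]
EXPECTED_APP = {80: "http", 443: "tls"}  # which application each allowed port may carry


def identify_app(payload: bytes) -> str:
    for name, pattern in APP_SIGNATURES:
        if pattern.match(payload):
            return name
    return "unknown"


# --- DLP on outbound plaintext -----------------------------------------------
CARD_RE = re.compile(rb"\b(?:\d[ -]?){13,16}\b")   # 13-16 digits, optional separators
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")      # US SSN layout


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so ordinary digit runs (IDs, timestamps) are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def dlp_findings(payload: bytes) -> list:
    findings = []
    for m in CARD_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if luhn_ok(digits):
            findings.append("card-number")
    if SSN_RE.search(payload):
        findings.append("ssn")
    return findings


def ngfw_policy(flow: Flow) -> tuple:
    """Port rule, then application identity, then DLP on outbound plaintext HTTP."""
    if port_policy(flow) == "deny":
        return ("deny", "port-policy")
    app = identify_app(flow.payload)
    if app != EXPECTED_APP.get(flow.dst_port):
        return ("deny", f"app-mismatch:{app}-on-{flow.dst_port}")
    if flow.outbound and app == "http":  # TLS payloads are opaque without interception
        leaks = dlp_findings(flow.payload)
        if leaks:
            return ("deny", "dlp:" + ",".join(leaks))
    return ("allow", app)


# Constructed sample flows (not captured traffic).
SAMPLES = {
    "web-get": Flow(80, True, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    "ssh-on-443": Flow(443, True, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "tls-on-443": Flow(443, True, b"\x16\x03\x01\x00\xf4\x01\x00\x00\xf0\x03\x03"),
    "card-leak": Flow(80, True, b"POST /upload HTTP/1.1\r\nHost: share.example\r\n\r\n"
                                b"card=4111 1111 1111 1111&ssn=123-45-6789"),
    "smtp-out": Flow(25, True, b"EHLO mail.example\r\n"),
}


def compare() -> dict:
    """Return {name: (port-firewall verdict, NGFW verdict)} for every sample."""
    return {name: (port_policy(f), ngfw_policy(f)) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, (l4, l7) in compare().items():
        print(f"{name:12s} port-firewall={l4:5s} ngfw={l7}")
```

Running the block shows the gap the paragraph describes: the port-only policy allows both the SSH session on port 443 and the HTTP POST carrying a card number, because on layer 4 they look like ordinary web traffic; the application-aware policy denies the first as a port/application mismatch and the second as a DLP hit, while the plain web request and the genuine TLS handshake pass.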

Gartner’s “Next-Generation Firewalls and Unified Threat Management Are Distinct Products and Markets” (1) advises security managers to beware of vendor claims that a single product line can address both enterprise and small business needs, and goes on to note that although “vendors attempt to position their technology in the other market they have met with limited success”. For now the main distinction between the two appears to lie in DPI capabilities and in the scalability of the supporting hardware, but the blur between UTMs and NGFWs may grow further as UTM vendors add more content-aware, application-inspection capabilities while NGFW vendors unbundle features in order to attract SMBs.

Market Outlook

According to an International Data Corporation (IDC) tracker released in March 2017, the total security appliance market showed positive growth in both vendor revenue and unit shipments for the fourth quarter of 2016 (4Q16). Worldwide vendor revenues in the fourth quarter increased 12% year over year to $3.3 billion, and shipments reached an all-time record for a single quarter at 781,838 units, 24% annual growth. For the full year 2016, worldwide security appliance revenue increased 9.7% to $11.6 billion compared to 2015, while worldwide unit shipments increased 18% to a little over 2.7 million units.

IDC noted that growth in the worldwide market continues to be driven by the UTM sub-market, which has almost tripled in size over the last five years, reaching record revenues of $5.7 billion for 2016 with year-over-year growth of 17.3%, the highest among all sub-markets. In the tracker release, IDC estimates that the UTM market now represents almost 50% of worldwide revenues in the security appliance market. The Firewall and Content Management sub-markets also had positive year-over-year revenue growth in 2016, with gains of 10.4% and 4%, respectively. The Intrusion Detection and Prevention and Virtual Private Network (VPN) sub-markets saw weakening revenues in 2016, with year-over-year declines of 4.8% and 4.3%, respectively.

As security threats intensify, appliance markets continue to experience high growth in many areas, especially network security, where demand for on-premises hardware solutions in the unified threat management segment continues to grow.

Challenges

Competition in security markets remains strong as vendors initiate cyclical refreshes of their appliance hardware, upgrading performance and encryption capabilities to counter new security vulnerabilities and to maintain or improve price/performance ratios. Leading in enterprise markets also requires a comprehensive, balanced approach: on-premises equipment deployment alongside support for highly virtualized infrastructure and public cloud.

Solutions

Advantech Networks and Communications Group (NCG) has been supplying high-performance networking platforms to leading Network Equipment Providers (NEPs) and security vendors for packet processing on Intel Architecture for over 10 years. The FWA series of appliances leverages DPDK and Intel QuickAssist Technology across a broad range of commercial-off-the-shelf platforms, from entry-level tabletop devices to mid-range SMB and ultra-high-end appliances.

Suited to fit anywhere in an NG-FW or UTM portfolio, NCG’s product lines are deployed in volume in enterprise data center, Provider Edge (PE) and Customer Edge (CE) equipment, ranging from 2 to over 300 processor cores and offering a broad choice of port counts and speeds from 1 to 100GbE.

Figure 1. Broad range of Network Security Platforms based on Intel Architecture from 1 to over 300 processor cores

The FWA-4231 is particularly well suited for cost-optimized mid-range NG-FW deployment. It is based on the 4th generation Intel® Xeon® Processor E3 series and Intel® Core™ i7/i5/i3 processors, and features a modular design with four Network Mezzanine Card expansion slots supporting up to 32 x 1GbE or 16 x 10GbE interfaces. The system is powered by an Intel® Xeon® Processor E3-1200 v3 with support for up to 4 cores/8 threads. The Data Plane Development Kit (DPDK) is supported on all network interfaces, providing up to a 10x increase in packet throughput, while a full-height/half-length PCIe Gen3 x8 slot provides further I/O expansion or crypto acceleration and offload using Advantech PCIe cards with Intel® QuickAssist Technology. In addition, ECC memory protects against data corruption by automatically detecting and correcting memory errors, ensuring higher levels of availability.

Figure 4. FWA-4231 NG-FW deployment scenarios

Tailor-Made Branding, Packaging and Logistics

Branding, packaging and logistics are key elements in choosing an appliance supplier. Starting from commercial-off-the-shelf platforms, Advantech offers personalized products through a range of specialized services, including customized cost optimization. All of its platforms are application-ready, with branding options including chassis colour, logo and front bezel design. Additionally, customers can optimize Advantech modular appliances and server hardware through a customized COTS program to reach their sweet spot of price, performance and functionality.

Through Advantech Integration Centers around the world and those of System Integrator partners, Advantech offers extensive integration and test services prior to packaging and labelling according to customer specifications. Advantech’s worldwide logistics network offers a flexible delivery model to meet each customer’s needs and budget. Advantech simplifies its customers’ logistical networks, helping them bring their networking products to market on time and enjoy a timely return on investment.